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CN ■ Abstract 

T-H ■ 

(^ \ The interleaving of chaos and cryptography has been the aim of a large set of works since the beginning 

O^l ■ of the nineties. Many encryption proposals have been introduced to improve conventional cryptography. 

$-H ' However, many of those proposals possess serious problems according to the basic requirements for the secure 

^jH. exchange of information. In this paper we highlight some of the main problems of chaotic cryptography by 

means of the analysis of a very recent chaotic cryptosystem based on a one round Substitution Permutation 

pv^ . Network. More specifically, we show that it is not possible to avoid the security problems of that encryption 

architecture just by including a chaotic system as core of the derived encryption system. 

r^ , Keywords: image encryption, Substitution Permutation Networks, permutation-only ciphers, unimodal 

r\ ' maps, chosen-plaintext attack. 

d: 

"3 ■ 

I— I' 1. Introduction 

^^ ■ The plinth of cryptography is built upon the properties of confusion and diffusion as stated by Shannon 

i!^ \ in 1949 [l|, which can be linked to the main characteristics of chaotic systems: ergodicity and sensitivity to 

^^ ■ control parameters and initial conditions. The connection between the basic coordinates of cryptography 

OO \ and chaotic systems has paved the research on chaotic cryptography [3|. A lot of different methods have 

^^D ■ been proposed in the field of chaos-based cryptography, but most of them show very serious security flaws [2|, 

fT^ \ Chapters 8 and 9] . A very important family of chaotic cryptosystems is the one inheriting the characteristics 

^^ ■ of the Substitution- Permutation Networks (SPNsV, as it is explained in [3|. This kind of architecture is not 

Cn I secure unless the avalanche criterion is satisfied [4|. As matter of fact, the inclusion of chaotic systems in 

". , ■ this kind of architecture does not guarantee security and the assessment of the avalanche property should 

^ I be thoroughly carried out [5|, |6[ . In [7| a chaotic cryptosystem is proposed to encrypt colour images through 

the permutation of their columns and rows, along with a substitution procedure based on the logistic map. 
From a general point of view, this cryptosystem can be interpreted as one round of a SPN. This kind 
C^ . of architecture present a very low level of confusion and security pitfalls if the substitution stage can be 

rewritten as a way to change the plaintext according to a key stream which is independent of the plaintext. 
As we will discuss along this paper, this is the case of the cryptosystem described in [7[. 

The rest of the paper is organized as follows. In Sec.[2]it is described the cryptosystem under examination. 
With the aim of underlining the shortcomings of this encryption scheme, we discuss in Sec.[3]some limitations 
with respect to the dynamical system bearing encryption, to the key space and, finally, in regards to the 
diffusion property of the cryptosystem. The analysis is complemented by remarking the vulnerability of the 
cryptosystem against a chosen-plaintext attack. In this concern, we explain along Sec. 2] how to elude the 
security laying on the encryption architecture selected in [7|. Finally, in Sec. [5] we summarize and discuss 
the results of the cryptanalysis. 
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Figure 1: Diagram of the encryption procedure. 



2. Description of the encryption scheme 

The encryption procedure defined in [7| is applied on colour plain-images of size M x N and coded in 
RGB format. The plain colour image is treated as a matrix I of size M x N x 3, whereas the cipher-image 
is given by I' also of size M x iV x 3. For the sake of clarity, we have first modified the notation used in [7|] 
and second divided the encryption method into four stages (see Fig.[T]): 

1. Rows permutations. 

The colour plain-image I is transformed into a gray-scale image Ir, of size 3Af x N, just by incorporating 
the rows of the green and blue components after the rows of the red one. Let P^ be a permutation 
matrix that transforms Ir into I^ by shuffling its rows in a pseudo-random way, through the iteration 
of the logistic map for control parameter equals to A^ and initial condition given by xr. The logistic 
map is defined by the iteration function 

f{x)^Xxil~x), (1) 

and the orbit {a;(i)}j can be generated from a given initial condition x(0) by doing x{i + 1) = f{x(i)). 

2. Columns permutations. 

The matrix I^ is converted into a matrix Ic of size M x 3iV, by combining horizontally (one after 
the other) the three groups of M rows that define Ijj. For each row of Ic, the pixels are permuted 
according to the corresponding row of a permutation matrix Pc. The resulting matrix is noted as 
I^. Again, this permutation matrix is obtained by iterating the logistic map in this case with control 
parameter Ac and initial condition xc- 

3. Selection of the next pixel to encrypt. 

Once pixels have been shuffled, substitution is performed using a keystream and selecting the pixel to 
encrypt based on a pseudo-random sequence {S(i)}^^^ , with S{i) € {0, 1, 2}. The sequence {S}^^^ 
determines if the next pixel to encrypt proceeds from either the first N columns (S(i) = 0), the second 
group of N columns {S{i) = 1), or the third set of columns (for S{i) = 2) of Ic*. In case all pixels 
of a band have been already selected, the pixel to encrypt is chosen from the next colour band (after 
the blue pixels, the next ones are the red). Consequently, a vector Is of length 3MN is obtained by 
reading each colour component of I^ from the first row and from the left to the right, according to 
the selection vector S. 

4. Substitution stage. 

Finally, the output of the previous step is masked using a keystream {B{i)}-^-^ . The update rule is 

given by 

T (.)^i (Isi^) + B{t))mod 256, t^l , 

^^' \ {Isii- I) + Isii)+Is{i- I) +B{i))mod 256, i = 2^iMN ^' 

The resulting cipher-image I is derived from Ib using S, i.e., by grouping the pixels of I^ into colour 
components in the reversed order that they were grabbed from I^ to build up I5. 

According to [7|, the secret key of the cryptosystem consists of the set of values {Ai?, x^, Ac, a^c}, which 
are used to compute two orbits of the logistic map (Eq. ([T|)). Those orbits are the core of the procedures to 
generate the permutation matrices P^ and Pc, the pseudo-random sequence S, and the keystream B. As 
we discuss below, the cryptanalysis of the cryptosystem can be carried out independently of those generation 
procedures. For a more detailed description of any of those procedures or other design details, please refer 
to Sec. 2.1 of 0. 

3. Design weaknesses 

As result of our previous work on the field of chaos-based cryptography [8| , we can conclude that the most 
critical problems in chaotic cryptography are linked to three aspects: the selection of the chaotic system, the 
choice of an encryption architecture, and the implementation of the cryptosystem. In the specific scenario 



depicted by [7[ , there exist some problems that we have previously highhghted in regards to both the selection 



Those problems inform about 



of the chaotic system and the encryption architecture [9|, |lO|, lul, lid , 
non exhaustive description of the cryptosystem, but also about security breaches. The drawbacks of the 
cryptosystem definition are derived in Sec. 13.11 by studying the key space of the cryptosystem on account 
of the dynamical properties of the underlying chaotic map, and in Sec. 13.21 through the discussion of the 
diffusion property of the encryption architecture. The security analysis is the core of Sec. U) 



3.1. Non exhaustive definition of the key space 

One major concern in chaotic cryptography is on designing cryptosystems in such a way that the under- 
lying dynamical systems evolves chaotically [13|, Rule 5]. In the case of the logistic map (and other maps), 
this resorts to the evaluation of the Lyapunov exponent in order to guarantee chaoticity (see Fig. [2). As a 
matter of fact, after the Myrberg-Feigenbaum point (A « 3.5699456) it cannot be asserted that the logistic 
map is always chaotic due to the existence of a dense set of periodic windows (i.e., of values of A implying 
regular and non stochastic behavior 14j). 




Figure 2: Lyapunov exponent of the logistic map with respect to the control parameter A. The selection of Xji and Xq should 
be performed guaranteeing chaoticity, i.e., positive values for the Lyapunov exponent. 

Additionally, in [7[ the use of the logistic map relies not only on its positive rate of local divergence, 
but also on its topological properties. Certainly, the permutation of columns and rows is conducted by 
the ordering of chaotic orbits of the logistic map of length 3MN and 3M, respectively. In this sense, we 
should assess whether the number of possible permutations on the values of those orbits is at least equal 
to the number of possible initial conditions. The number of initial conditions is given by the inverse of 
the machine epsilon |15l p. 37], which is 2^^ for double precision floating-point arithmetic. On the other 
hand, the number of possible permutations on a given orbit of length L is L\. In the case of deterministic 
dynamical systems, this upper value is not reached due to the existence of a set of forbidden permutations 
[l6|. If we restrict our discussion to dynamical systems with iteration function fx defined as a scalar, then 
the cardinality of the set of possible permutations of an orbit is upper bounded by e^''*°p'-'^^-' [17|, where 
htop is the topological entropy of the map f\ [l8|. For unimodal maps the topological entropy can be 
easily computed according to the theory of applied symbolic dynamics [l9| and, in some cases, it is even 
possible to give a closed analytical form [20[ . In Fig. [3] we show the topological entropy of the logistic map 



with respect to the control parameter. According to the scope depicted by the permutation phases of the 
cryptosystem defined in |7|, the control parameter should be selected in such a way that htop{f\) is greater 
than log{2^^)/(3M). If we consider that the smallest value for M and N is 128, then the previous restriction 
is satisfied for A above 3.57538. This fact implies a reduction of the key space as defined in [7| and, although 
it is not a large shortening, it indeed informs about the needs of using not only the Lyapunov exponent but 
also the topological entropy as core of the selection of the keys of the cryptosystem. 




Figure 3: Topological entropy of the logistic map. 

Finally, another problem when defining the key space of the cryptosystem arises from the symmetry 
of the iteration function of the logistic map. As it is commented in |2l|, the fact that Eq. ([T|) satisfies 
f{x) = /(I — x) implies that xr and (1 — xr) are equivalent sub-keys for decryption. The same applies to 
xc and (1 — xc)- 

3.2. Low sensitivity to the change of plain-image 

In the context of cryptography a minor change in the input of a cryptosystem should imply a major 
change in the corresponding output [13|, Rule 9]. In this respect, if we take into account two images Iq 
and Ii with only one different pixel, then the associated cipher- images should be very different. To assess 
this property for the cryptosystem in [7|, we have encrypted the images in Fig. 2] using as key Xr = 4, 
XR = 0.1234567898765, Ac = 3.99, and xc = 0.56789123456789. The differential cipher-image is equal 
to zero for a meaningful set of pixels, which informs about the limitations of the diffusion property of the 
cryptosystem given in [7| regarding changes in the plain-image. 



4. Security analysis: vulnerability against a chosen-plaintext attack 

According to [2^ p. 25], the security assessment of any cryptosystem must be carried out (at least) with 
respect to four basic attacks: 

• Ciphertext-only attack: the cryptanalysis only knows the result of encryption. 

• Known-plaintext attack: several pairs of plaintext and ciphertext are accessible for the cryptographer. 

• Chosen-plaintext attack: the attacker gains access to the encryption machine and performs cryptana- 
lysis by selecting adequate plaintexts. 





(a) 



(b) 
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Figure 4: Example on the low sensitivity to the change of the plain-image: (a) the first plain-image; (b) first plain-image with 
the center pixel of each colour band equals to 255; (c) XOR between the cipher-image corresponding to the original plain-image 
and that of the modified one. 



• Chosen-ciphertcxt attack: the decryption machine can be used by the cryptanalyst, which chooses 
ciphertcxts in order to extract information about the secret parameters of the cryptosystem. 

In this section we show that the cryptosystem described in [7| does not exclude the successful application 
of a chosen-plaintext attack. 

4.I. Breaking the confusion stage 

As it has been pointed out in Sec. [2l the encryption scheme consists of two classes of procedures: permu- 
tation and substitution of pixels. The main weakness of the proposal is a consequence of the independence 
between the shuffling stages and the last stage, i.e., the one concerning the substitution of pixels. This 
fact can be exploited by means of the following divide- and- conquer attack, using as bottom-line chosen 
plain-images which are neutral elements with respect to row/column permutations l6|. In this sense, if one 
encrypts a plain-image with all pixels equal to the same value, then the output of the shuffling procedures 
is the same plain-image. Moreover, if the plain-image is selected forcing all rows/columns being equal, then 
encryption only shuffles columns/rows. 

In correspondence to the previous comments, we can mount an attack based on a chosen plain-image 
with all pixels equals to zero. Let I be a colour image with all pixels equal to zero, which implies that 
Is{i) = for z = 1 ~ 3MN. Taking into account Eq. (0), we have 

i 

lB{i) = ^B{j) mod 256, (3) 

for i = 2 ^ iMN . From the previous equation we can find the value of B{i) just by subtracting /^(i — 1) 
from Ib (i) ■ 

If we want to apply the recovered B to get any I5 from the corresponding I^, then S must be obtained. 
This commitment can be accomplished using a second constant value plain-image. For instance, we can use 
a chosen plain-image with all pixels equal to one. This being the case, we have /s(i) = 1 for z = 1 ~^ 3MN 
and 

i 

lB{i) = J2^B{j)+2j-l} mod 256, (4) 

for i = 1 ^ 3MN. Let us focus on the image given as the difference between the cipher-images obtained 
from 1 = and 1 = 1 respectively. Since the difference between Eq. ([3]) and Eq. (|4]) is equal to (2j — 1) 
mod 256, the components of S are determined by looking for the pixel with value (2j — 1) mod 256 in each 
colour band of that difference image. If that pixel belongs to the red component, then S{j) = 0; if it is one 
of the green pixels, then S{j) = 1; finally, S{j) = 2 leads to a pixel in the blue band. 

4-. 2. Permutation- only ciphers 

Once the substitution keystrcam B and the selection vector S have been obtained, it is possible to 
reconstruct the input of the shuffling procedures according to 2l|, l231j. This new goal is going to be achieved 



by using [log25g(3M x 3MN)~\ chosen plain-images. In this paper we restrict our analysis to images of the 
same size as those used in [7[, i.e., images of size 256 x 256 and, consequently, four chosen-plain images are 
required to elude the permutation-only phase. 

In order to validate our crypt analysis, we have configured an encryption machine by selecting the key 
defined by the set Xr = 4, xr = 0.1234567898765, Ac = 3.99, and xc = 0.56789123456789. Upon the 
assumption of having access to the encryption machine, we encrypt an image equal to zero and an image 
with all pixels equal to 1. The cryptanalysis described in Sec. 14.11 is applied, and thus the keystream 
B and the pseudo-random sequence S arc recovered. As it is commented in similar cryptanalysis works 



^The reader is referred to these papers for a rigorous study on the security of permutation-only ciphers. Here the description 
is Hmited to the minimum details required to carry out the implied cryptanalysis. 



2ll . y, |2J], the recovering of those sequences is equivalent to getting the secret key. Nevertheless, the 



complete cryptanalysis of the cryptosystcm in |7| demands to infer a permutation matrix representing the 
composition of the permutation procedures lead by Pr and Pc- This goal can be achieved by using plain- 
images with all rows/columns equals. To illustrate the cryptanalysis we are going to extract the original 
positions of the pixels of the first row of I . First, we encrypt a plain-image with each colour component 
determined by 

/ ■•• \ 
1 1 1 ■•• 1 



\ 255 255 255 



255 / 



If we consider the vector Ri of length 768 given by the concatenation of the first row of red, green, and 
blue component of the cipher-image, it is easy to verify that it contains only three values. The values 
corresponding to the selected secret key are 93, 203, and 223, which indicates that the first row of the cipher 
image comes from either the row 93, 203, 223 of either of the colour components of the plain image. In order 
to establish the colour band of each of the three candidates for row permutation, we encrypt a plain-image 
with red component with all pixels equal to zero, green band being 1, and blue component being 2. Then, 
we look for the occurrences of 0, 1, and 2 in the first row of each colour component of the cipher-image. The 
intersection of this new vector of indexes of occurrence with the previous one enables to conclude that Ri 
contains the row 93 of the blue band of the plain-image, the row 203 of the red component of the plain-image, 
and the row 223 of the red component of the plain- image. After identifying the source of the first row of I', 
we need to label each pixel of the rows identified as sources of that row. This aim is fulfilled if we encrypt 
a colour image with its three colour components equal to 



/ 1 2 
1 2 



V 1 2 



255 \ 
255 



255 / 



Afterwards, we look for the occurrences of i = ~ 255 through the vector Ri . The indexes of occurrence 
are given by the set Vi. Let us begin with Vb, which is {120, 356, 68} for the selected key. The set Vq implies 
that either of the referred pixels comes from the first pixel of either the row 93 of the blue component, the 
red row number 203, or the row 223 of the red band of the plain-image. To select the proper value among 
the three candidates for the three identified pixels, we encrypt an plain-image such that the row 93 of the 
blue component is 

(0 12 ■ • • 253 254 255) , 



the red row number 203 

(255 1 2 

and the row 223 of the red band is defined as 



253 254) , 



(254 255 1 2 ••• 253). 

Again, we look for through Ri and we obtain the indexes of occurrence 235, 356, and 556. Only 356 
is included in the previous set Vb, and as a result we have that the first pixel of the row 93 of the blue 
component of I goes to the pixel 100 (100 = 356 mod 256) of the first row of the green component of I'. If 
we proceed in the same fashion with Vi for i > 0, then we obtain the permutations for all the pixels of the 
row 93 of the blue band of the plain-image. The same applies to the row 203 (223) of the red band, but 
taking into account that the first pixel of the row is now labeled by 255 (254). 

If one applies the previous methodology for all the rows of the cipher-image, then the permutation matrix 
can be inferred. In this sense, we have applied the cryptanalysis based on the six chosen plain-images to an 
encryption machine with secret key A^, = 4, xr = 0.1234567898765, Ac = 3.99, and xc = 0.56789123456789. 



The cryptanalysis allows to get S, B, and the permutation matrix, which is equivalent to obtain the secret 
key. To verify this assertion we have encrypted an image (the result is in Fig.[SJa)), applied the cryptanalysis, 
and decrypted the cipher-image using the outputs of the cryptanalysis. The decrypted image is the one in 
Fig. [5jb) , which coincides with the original plain-image. 




■'■ijS& 
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Figure 5: Application of the chosen-plaintext attack:(a) a cipher-image obtained using A^ = 4, xn = 0.1234567898765, 
Ac = 3.99, and xq = 0.56789123456789; (b) the decrypted plain-image using the kcystreams and the permutation matrix 
inferred via the chosen-plaintext attack. 



5. Conclusions 



In this paper we have studied in detail a recent proposal in the area of chaos-based cryptography. We 
have underlined some problems related to the dynamical properties of the system sustaining encryption, 
and we have also pinpointed some flaws related to the encryption architecture. The goal of our work was 
not simply to show the problems of a given chaotic cryptosystem, but to highlight the possibility of creating 
secure proposals to encr ypt information using chaos. In this flavour, our recommendation is on the line of 
the set of rules given in 13l.l8l.l2|. 
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